This is a Windows Server 2008 R2 infrastructure.
We have an IIS application pool account (let's call it IWAM_app) that needs a private key and matching certificate to decrypt data retrieved from a database. (This is *not* an SSL thing). The PKI infrastructure is Windows Server 2008 R2 Certificate Services hosted elsewhere on the network.
The IWAM account is a member of a PKI auto-enroll group, so I create the key pair on the IIS server by running this command while logged on as the IWAM account: certreq -enroll -q templateName
If I add the IWAM account to the local Administrators group on the server, everything works fine.
As soon as I remove the IWAM account from the local Administrators group, the application receives an Access Denied error.
I ran procmon and the Access Denied is occurring (I think) from trying to open the following registry key with a "CreateKey" action (Read/Write, Delete): HKU\.DEFAULT\Software\Microsoft\SystemCertificate\My
When I run PowerShell under the IWAM account and type dir cert:\currentuser\my, I see my certificate with no problems.
When I watch procmon stream while the IWAM account is a member of the Local Administrators group, I see registry action against the .DEFAULT...\My key, as well as file activities in c:\users\IWAM_app\AppData\Roaming\Microsoft\SystemCertificates\My.
I don't see any registry action against HKU\"SID of the IWAM_app account"\...
Is this something I've done as part of the certreq command?
Is there any way to get around this? (I could set ACLs on that .DEFAULT key, but that seems pretty unsupportable.)
Thank you for ploughing through this thread. Any response is appreciated.
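As an added diagnostic (not part of the original post), the following PowerShell script gathers the facts the question turns on: whether the app pool loads a user profile, whether a per-SID certificate-store key exists for the identity the shell runs as, what Cert:\CurrentUser\My shows for that identity, and who holds create/write rights on the HKU\.DEFAULT key the procmon trace pointed at. The pool name "MyAppPool" is a placeholder; the claim in the comment that a worker process without a loaded profile falls back to HKU\.DEFAULT for HKCU is general Windows behaviour, not something the post establishes.

```powershell
# Added diagnostic, not from the original post. Run it twice on the IIS server:
# once as the IWAM_app account (certificate-store checks) and once as an
# administrator (app pool setting). "MyAppPool" is a placeholder pool name.
param([string]$PoolName = "MyAppPool")

# 1. Does the app pool load a user profile? Without a loaded per-user hive,
#    a worker process's HKCU lookups commonly land in HKU\.DEFAULT instead.
try {
    Import-Module WebAdministration -ErrorAction Stop
    $pm = Get-ItemProperty "IIS:\AppPools\$PoolName" -Name processModel
    "{0}: identityType={1} loadUserProfile={2}" -f $PoolName, $pm.identityType, $pm.loadUserProfile
} catch {
    "Skipping app pool check (run elevated on the IIS host): $($_.Exception.Message)"
}

# 2. Which identity is this shell, and which per-user cert-store keys exist for it?
$id  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$sid = $id.User.Value
"Running as $($id.Name) ($sid)"
if (-not (Get-PSDrive HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
$sidKey = "HKU:\$sid\Software\Microsoft\SystemCertificates\My"
$defKey = "HKU:\.DEFAULT\Software\Microsoft\SystemCertificates\My"
"Per-SID store key present:      {0}" -f (Test-Path $sidKey)
"HKU\.DEFAULT store key present: {0}" -f (Test-Path $defKey)

# 3. Certificates visible to this identity, and whether a private key is attached.
Get-ChildItem Cert:\CurrentUser\My |
    Select-Object Subject, Thumbprint, HasPrivateKey, NotAfter |
    Format-Table -AutoSize

# 4. Who holds create/write rights on the .DEFAULT key procmon flagged?
if (Test-Path $defKey) {
    (Get-Acl $defKey).Access |
        Where-Object { $_.RegistryRights -match 'FullControl|CreateSubKey|SetValue' } |
        Select-Object IdentityReference, RegistryRights, AccessControlType |
        Format-Table -AutoSize
}
```

Comparing the per-SID and .DEFAULT results from the IWAM_app run against the loadUserProfile value from the elevated run shows whether the worker process is using the same store that the interactive dir cert:\currentuser\my session used.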